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Alexandria, VA 22313-1450 

REMARKS SUBMITTED WITH PRE- APPEAL BRIEF REQUEST FOR REVIEW 

Claims 1-23 are pending and stand rejected. Applicant requests reconsideration in light 
of the following remarks. 

Section 112 Rejections 

Claims 1-23 were rejected under 35 U.S.C. §112, first paragraph, as failing to comply 
with the written description requirement. (November 28, 2007 Office Action, pg. 2). The Office 
Action states "previous accessed items" is not clearly described in the specification as the 
Examiner has only found support for the limitation "accessed items". This is clearly erroneous. 

Applicant submits that support for an "accessed item" is support for a "previous accessed 
item". That is, an "accessed" item is an item that WAS accessed (i.e., accessed previously). 
Moreover, the specification specifically teaches that a database security analyzer 102 captures 
database access statements issued as a result of interactions between user interface devices 104a- 
104z, applications 106a-106z, and a database and uses the captured statements to determine the 
accessed items and types of access required for each application, (page 4, lines 4-12). The 
simple fact that the analyzer 102 captures issued statements and then uses the captured 
statements to determine accessed items clearly illustrates that the items were previously 
accessed. Thus, the application clearly describes analyzing database access statements that were 
issued for an application during use to determine previous accessed items (see also, Reply to 
Office Action submitted September 7, 2007, page 8, ^2; page 6, lines 4-20). 
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Section 103 Rejections 

Claims 1, 3-10, 12-20, and 22 were rejected under 35 U.S.C. § 103(a) as being 
unpatentable over U.S. Patent No. 6,182,142 Bl to Win et al. ("Win") in view of U.S. Patent 
Application Publication No. 2002/0091798 Al to Joshi et al. ("Joshi"). Applicant respectfully 
disagrees that the claims are unpatentable over the cited references. 

Claim 1 recites "developing a role for the application based on the previous accessed 
items and types of access for the application, wherein when the application is in use by a user, 
the developed role for the application allows the user database access." Neither Win nor Joshi, 
however, teaches at least this feature of the claim. Thus, their combination is also clearly 
insufficient. 

Win teaches controlling access to one or more information resources by identifying a 
subset of resources that the user is authorized to access based on one or more roles that are stored 
in association with user identifying information (Win, column 2, lines 28-33). The roles in Win 
arc developed by listing functions or capacities in which a person might act when they access 
resources and their functional group, department, or organizational unit (Win, column 14, lines 
11-15). Thus, Win fails to teach developing a role for an application , much less developing a 
role based on previously accessed items and types of access . 

The Office Action does state that the Examiner interprets the step of defining a role in 
Win as the claimed operation of developing a role, where the information that is accepted in the 
data entry form corresponds to the accessed items and types of access for the application as 
claimed (Office Action mailed November 28, 2007, page 15). However, this interpretation is not 
supported by the disclosure of Win. Instead, Win teaches that an administrator may complete 
and submit a data entry form for each role to be defined, where roles are developed by listing 
functions or capacities in which a person might act (Win, column 14, lines 8-11, 41-42). Thus, 
Win utterly fails to suggest that a role may be developed based on previously accessed items and 
types of access that were determined from database access statements that were issued for an 
application during the application's use. 

Joshi fails to rectify these deficiencies of Win. The Office Action states that Joshi 
teaches defining a role by defining a role and identifying persons by name (Office Action mailed 
November 28, 2007, page 15); however, Joshi does not teach or suggest that a role may be 
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developed based on previous accessed items and types of access for an application . Instead, 
Joshi teaches that upon authentication or authorization, login information for a particular user 
and a particular application can be added to the HTTP request as header variables (Joshi, ](0016). 
A downstream application can then search the described header variable and automatically 
attempt to authorize the user (Joshi, paragraph 0016). Thus, Joshi teaches adding login 
information for a user to HTTP requests to allow automatic authorization of the user, as opposed 
to teaching how to develop a role , much less developing a role for an application based on 
previous accessed items and types of access for an application . 

The Examiner does state it would have been obvious to one of ordinary skill in the art to 
incorporate Joshi's teachings into the system of Win and that the combination teaches 
developing a role for an application based on previous accessed items and types of access for an 
application. But as discussed, neither Win nor Joshi teaches the recited limitations. Thus, their 
combination fails to teach the limitations (see Reply to Office Action submitted September 7, 
2007, page 8, H5-page9, fl). 

For instance, Win teaches defining roles based on functions users have in an organization 
and identifying a subset of resources that the user is authorized to access based on these roles 
(Win, column 2, lines 31-34, column 14, lines 6-1 1). Similarly, Joshi teaches adding login 
information to an HTTP request (Joshi, paragraph 0016). Combining the teachings of Win and 
Joshi therefore results in developing a role based on functions users have in an organization and 
adding the role to an HTTP request to allow automatic authorization of the user. Thus, the 
combination of Win and Joshi fails to teach or even suggest developing a role for an application 
based on previous accessed items and types of access for an application. Accordingly, claim 1, 
along with its dependent claims, are allowable over the cited art. 

Applicant notes the Examiner's assertion regarding it being improper to attack each 
reference independently. (November 28, 2007 Office Action, pg. 14). But when an applicant 
shows that none of the references teaches a limitation, that is not an improper attack. 

Independent claims 10, 18, and 23 recite limitations analogous to those of claim 1. In 
particular, claim 10 recites developing a role for the application based on the previous accessed 
items and types of access for the application. Similarly, claim 18 recites developing a role for 
the application based on the previously issued database access statements for the application, 
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wherein when the application is in use by a user, the developed role for the application allows a 
user database access. Also similarly, claim 23 recites determining permissions for the 
application based on the previous accessed items and types of access for the application and 
developing a role for the application based on the determined permissions. Accordingly, for at 
least the reasons stated above in connection with claim 1, claims 10, 18, and 23, and their 
corresponding dependent claims, are also allowable over Win and Joshi. 

Claims 3-9 depend from independent claim 1, claims 12-17 depend from independent 
claim 10, and claims 19-20 and 22 depend from independent claim 18 and, hence, contain all of 
the limitations of the corresponding independent claims, which have already been shown to be 
allowable over Win and Joshi. Claims 3-9, 12-17, 19-20, and 22 also contain additional 
limitations not taught by Win or Joshi (see Reply to Office Action submitted September 7, 2007, 
page 10, Tf2-Tf4; Reply to Final Office Action submitted February 1, 2007, page 9, 1|3-1f5). For 
example, claim 5 recites, in part, wherein developing a role comprises determining permissions 
for the application based on the previous accessed items and types of access ." As another 
example, claim 9 recites, in part, detecting an end of the application session and, if an end of the 
application session is detected, disabling the assigned role for the user ." Win and Joshi therefore 
fail to teach at least these features of the claims. Accordingly, the claims are further allowable 
over Win and Joshi. 

Claims 2, 11,21, and 23 were rejected under 35 U.S.C. § 103(a) as being unpatentable 
over Win in view of Joshi, and further in view of U.S. Patent No. 6,665,664 B2 to Paulley et al. 
("Paulley"). (November 28, 2007 Office Action, pg. 10). As already discussed, Win and Joshi 
fail to teach or suggest the limitations of the independent claims. Additionally, as the Examiner 
admits, neither Win or Joshi teaches the limitations of these dependent claims. (Id.) Paulley, 
however, also fails to teach the limitations. Thus, the rejection is insufficient. 

Claim 2 recites "capturing the database access statements; normalizing the database 
access statements; and eliminating redundancies in the database access statements." Paulley, 
however, teaches checking each segment to ensure that each segment contains at least a 
minimum number of repeated references to the same columns or tables before attempting to 
normalize a segment (column 14, lines 46-51). This is not the same as normalizing and 
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eliminating redundancies in database access statements. Thus, the cited references fail to teach 
at least this feature of claim 2, and claim 2 is further allowable over the cited references. 

The Office Action does state that Applicant's arguments amount to a general allegation 
without specifically pointing out how the language of the claims is distinguished from the 
references. Applicant, however, has specifically pointed out how the language of claim 2 is 
distinguished from the references above and in previous replies (see e.g., Reply to Office Action 
submitted September 7, 2007, page 11, ^3-page 12, ]]4). In addition, the Examiner has stated that 
the Win and Joshi do not teach this feature of claim 2 (see e.g., Final Office Action mailed 
November 28, 2007, page 10; Office Action mailed June 7, 2007, page 10). 

CONCLUSION 

Applicant respectfully requests the withdrawal of the rejections and allowance of claims 

1-23. 

The Appeal fee in the amount of $510 is being paid concurrently herewith on the 
Electronic Filing System (EFS) by way of Deposit Account authorization to Deposit Account 
No. 05-0765. Please apply any other charges or credits to Deposit Account No. 05-0765. 

Respectfully submitted, 



Date: February 28, 2008 /William R. Borchers/ 

William R. Borchers 
Reg. No. 44,549 

Fish & Richardson P.C. 

1717 Main Street 

Suite 5000 

Dallas, Texas 75201 

Telephone: (214) 292-4075 

Facsimile: (214) 747-2091 
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